Data breach
FISMA

Under the Federal Information Security Management Act of 2002, data breach means "the loss, theft, or other unauthorized access, other than those incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data." (38 U.S.C. § 5727(4).)

General

The term data breach is generally and broadly defined to include "an organization’s unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information, which can include personally identifiable information such as Social Security numbers, or financial information such as credit card numbers." (GAO, Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown 2 (GAO-07-737 2007), http://www.gao.gov/new.items/d07737.pdf.)

Specific instances of data breaches

Numerous data breaches and computer intrusions have been disclosed by the nation’s largest data brokers, retailers, educational institutions, government agencies, health care entities, financial institutions, and Internet businesses. The Privacy Rights Clearinghouse chronicles and reports that over 251 million records containing sensitive personal information were involved in security breaches in the United States since January 2005. (Privacy Rights Clearinghouse, "A Chronology of Data Breaches," http://www.privacyrights.org/ar/ChronDataBreaches.htm.) From February 2005 to December 2006, 100 million personal records were reportedly lost or exposed. (Tom Zeller, "An Ominous Milestone: 100 Million Data Leaks," N.Y. Times, Dec. 18, 2006, at C3.) In 2006 the personal data of 26.5 million veterans was breached when a VA employee’s hard drive was stolen from his home.
In 2007 the retailer TJX Companies revealed that 46.2 million credit and debit cards may have been compromised during the breach of its computer network by unauthorized individuals. (U.S. Securities & Exchange Comm'n, Form 10-K Annual Report: The TJX Cos., Inc., http://www.sec.gov/Archives/edgar/data/109198/000095013507001906/b64407tje10vk.htm.) In 2008 the Hannaford supermarket chain revealed that approximately 4 million debit and credit card numbers were compromised when Hannaford’s computer systems were illegally accessed while the cards were being authorized for purchase. There were 1,800 reported cases of fraud connected to the computer intrusion.

Data breaches involving sensitive personal information may result in identity theft and financial crimes (e.g., credit card fraud, phone or utilities fraud, bank fraud, mortgage fraud, employment-related fraud, government documents or benefits fraud, loan fraud, and health-care fraud).

Responses and remedies

These public disclosures have heightened interest in:

* the security of sensitive personal information ("Data Security Legislation Expected to Face Big Challenges," 8 BNA Privacy & Security Law Report, 51 (Jan. 12, 2009));
* security of computer systems;
* applicability of federal laws to the protection of sensitive personal information;
* adequacy of enforcement tools available to law enforcement officials and federal regulators;
* business and regulation of data brokers (See U.S. Government Accountability Office, "Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data 56" (GAO-06-674, June 26, 2006), new.items/d06674.pdf);
* liability of retailers, credit card issuers, payment processors, banks, and furnishers of credit reports for costs arising from data breaches;
* remedies available to individuals whose personal information was accessed without authorization (See Gina Marie Stevens, Federal Laws Related to Identity Theft (CRS Report RL31919));
* prosecution of identity theft crimes related to data breaches; and
* criminal liability of persons responsible for unauthorized access to computer systems (See Charles Doyle, "Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws" (CRS Report 97-1025)).

See also

* Data breach analysis
* Data breach notification laws
* HITECH Act
* Identity theft
* In re TJX Companies